dcrat | 5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07.exe
Size

1.3MB
MD5

a453249139be7011703056dc1690d547
SHA1

66401ee801d6f8d13a00ae3d06e42e676a06d35c
SHA256

5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07
SHA512

2faa235d8dd89d065587ac1159e15bb40ad11df240d2b779afead014871ac8dd00be26597c048262f3f275f074d6e5a617d71ed58aada4fb359a0dc2c84baad7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2908	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001746a-12.dat	dcrat
behavioral1/memory/2304-13-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2320-41-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/1168-151-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/1684-270-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2424-330-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2088-390-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/2804-509-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/1764-569-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2232-629-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1780-690-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/2768-811-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1200	powershell.exe
2284	powershell.exe
1208	powershell.exe
448	powershell.exe
2972	powershell.exe
2064	powershell.exe
2012	powershell.exe
1020	powershell.exe
560	powershell.exe
1868	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2304	DllCommonsvc.exe
2320	cmd.exe
1168	cmd.exe
1744	cmd.exe
1684	cmd.exe
2424	cmd.exe
2088	cmd.exe
2724	cmd.exe
2804	cmd.exe
1764	cmd.exe
2232	cmd.exe
1780	cmd.exe
2556	cmd.exe
2768	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	cmd.exe
1960	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
29	raw.githubusercontent.com
39	raw.githubusercontent.com
43	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\088424020bedd6	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\it-IT\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Tasks\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\schemas\TSWorkSpace\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2664	schtasks.exe
848	schtasks.exe
2964	schtasks.exe
2880	schtasks.exe
1072	schtasks.exe
3028	schtasks.exe
1948	schtasks.exe
2180	schtasks.exe
2872	schtasks.exe
1504	schtasks.exe
2632	schtasks.exe
2708	schtasks.exe
2124	schtasks.exe
804	schtasks.exe
1816	schtasks.exe
2536	schtasks.exe
2652	schtasks.exe
2524	schtasks.exe
2868	schtasks.exe
1168	schtasks.exe
596	schtasks.exe
2004	schtasks.exe
2088	schtasks.exe
2744	schtasks.exe
2568	schtasks.exe
2748	schtasks.exe
1196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
560	powershell.exe
1868	powershell.exe
2064	powershell.exe
1208	powershell.exe
1200	powershell.exe
2012	powershell.exe
2972	powershell.exe
2284	powershell.exe
448	powershell.exe
1020	powershell.exe
2320	cmd.exe
1168	cmd.exe
1744	cmd.exe
1684	cmd.exe
2424	cmd.exe
2088	cmd.exe
2724	cmd.exe
2804	cmd.exe
1764	cmd.exe
2232	cmd.exe
1780	cmd.exe
2556	cmd.exe
2768	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	DllCommonsvc.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2320	cmd.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1168	cmd.exe
Token: SeDebugPrivilege	1744	cmd.exe
Token: SeDebugPrivilege	1684	cmd.exe
Token: SeDebugPrivilege	2424	cmd.exe
Token: SeDebugPrivilege	2088	cmd.exe
Token: SeDebugPrivilege	2724	cmd.exe
Token: SeDebugPrivilege	2804	cmd.exe
Token: SeDebugPrivilege	1764	cmd.exe
Token: SeDebugPrivilege	2232	cmd.exe
Token: SeDebugPrivilege	1780	cmd.exe
Token: SeDebugPrivilege	2556	cmd.exe
Token: SeDebugPrivilege	2768	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2076	2424	JaffaCakes118_5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07.exe	30
PID 2424 wrote to memory of 2076	2424	JaffaCakes118_5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07.exe	30
PID 2424 wrote to memory of 2076	2424	JaffaCakes118_5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07.exe	30
PID 2424 wrote to memory of 2076	2424	JaffaCakes118_5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07.exe	30
PID 2076 wrote to memory of 1960	2076	WScript.exe	31
PID 2076 wrote to memory of 1960	2076	WScript.exe	31
PID 2076 wrote to memory of 1960	2076	WScript.exe	31
PID 2076 wrote to memory of 1960	2076	WScript.exe	31
PID 1960 wrote to memory of 2304	1960	cmd.exe	33
PID 1960 wrote to memory of 2304	1960	cmd.exe	33
PID 1960 wrote to memory of 2304	1960	cmd.exe	33
PID 1960 wrote to memory of 2304	1960	cmd.exe	33
PID 2304 wrote to memory of 2064	2304	DllCommonsvc.exe	62
PID 2304 wrote to memory of 2064	2304	DllCommonsvc.exe	62
PID 2304 wrote to memory of 2064	2304	DllCommonsvc.exe	62
PID 2304 wrote to memory of 1200	2304	DllCommonsvc.exe	63
PID 2304 wrote to memory of 1200	2304	DllCommonsvc.exe	63
PID 2304 wrote to memory of 1200	2304	DllCommonsvc.exe	63
PID 2304 wrote to memory of 2012	2304	DllCommonsvc.exe	64
PID 2304 wrote to memory of 2012	2304	DllCommonsvc.exe	64
PID 2304 wrote to memory of 2012	2304	DllCommonsvc.exe	64
PID 2304 wrote to memory of 1868	2304	DllCommonsvc.exe	65
PID 2304 wrote to memory of 1868	2304	DllCommonsvc.exe	65
PID 2304 wrote to memory of 1868	2304	DllCommonsvc.exe	65
PID 2304 wrote to memory of 1208	2304	DllCommonsvc.exe	66
PID 2304 wrote to memory of 1208	2304	DllCommonsvc.exe	66
PID 2304 wrote to memory of 1208	2304	DllCommonsvc.exe	66
PID 2304 wrote to memory of 2284	2304	DllCommonsvc.exe	67
PID 2304 wrote to memory of 2284	2304	DllCommonsvc.exe	67
PID 2304 wrote to memory of 2284	2304	DllCommonsvc.exe	67
PID 2304 wrote to memory of 1020	2304	DllCommonsvc.exe	68
PID 2304 wrote to memory of 1020	2304	DllCommonsvc.exe	68
PID 2304 wrote to memory of 1020	2304	DllCommonsvc.exe	68
PID 2304 wrote to memory of 560	2304	DllCommonsvc.exe	69
PID 2304 wrote to memory of 560	2304	DllCommonsvc.exe	69
PID 2304 wrote to memory of 560	2304	DllCommonsvc.exe	69
PID 2304 wrote to memory of 448	2304	DllCommonsvc.exe	70
PID 2304 wrote to memory of 448	2304	DllCommonsvc.exe	70
PID 2304 wrote to memory of 448	2304	DllCommonsvc.exe	70
PID 2304 wrote to memory of 2972	2304	DllCommonsvc.exe	71
PID 2304 wrote to memory of 2972	2304	DllCommonsvc.exe	71
PID 2304 wrote to memory of 2972	2304	DllCommonsvc.exe	71
PID 2304 wrote to memory of 2320	2304	DllCommonsvc.exe	82
PID 2304 wrote to memory of 2320	2304	DllCommonsvc.exe	82
PID 2304 wrote to memory of 2320	2304	DllCommonsvc.exe	82
PID 2320 wrote to memory of 1764	2320	cmd.exe	84
PID 2320 wrote to memory of 1764	2320	cmd.exe	84
PID 2320 wrote to memory of 1764	2320	cmd.exe	84
PID 1764 wrote to memory of 2492	1764	cmd.exe	86
PID 1764 wrote to memory of 2492	1764	cmd.exe	86
PID 1764 wrote to memory of 2492	1764	cmd.exe	86
PID 1764 wrote to memory of 1168	1764	cmd.exe	87
PID 1764 wrote to memory of 1168	1764	cmd.exe	87
PID 1764 wrote to memory of 1168	1764	cmd.exe	87
PID 1168 wrote to memory of 2156	1168	cmd.exe	88
PID 1168 wrote to memory of 2156	1168	cmd.exe	88
PID 1168 wrote to memory of 2156	1168	cmd.exe	88
PID 2156 wrote to memory of 2236	2156	cmd.exe	90
PID 2156 wrote to memory of 2236	2156	cmd.exe	90
PID 2156 wrote to memory of 2236	2156	cmd.exe	90
PID 2156 wrote to memory of 1744	2156	cmd.exe	91
PID 2156 wrote to memory of 1744	2156	cmd.exe	91
PID 2156 wrote to memory of 1744	2156	cmd.exe	91
PID 1744 wrote to memory of 2056	1744	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a138379ac014130ce716402c2f058b79146d4f31afa6229a254e49f9c17cd07.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2492
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2236
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
        10⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:604
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
        12⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2720
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
        14⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2652
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        16⤵
        
        PID:1208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1844
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        18⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1060
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        20⤵
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2536
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
        22⤵
        
        PID:1396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2360
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
        24⤵
        
        PID:788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1992
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
        26⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2920
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        28⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1660
        
        C:\Users\Admin\Cookies\cmd.exe
        
        "C:\Users\Admin\Cookies\cmd.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2ec9e41a8aa7a2010410a76e6721159

SHA1
afe7cd9bd47fa94279ddee50dc0c8ef2f62c8d54

SHA256
e4c2151529ece313d29c31261502e2e008d2c16ed5464bc7e578a28072b5a9d8

SHA512
09e1534c176c38a6d7e4cc7cbc6d5cc6751c12cdc61332b944b731e943cebe1fc04f34713614dd44772e63e1c445844276ee45450d24715b65921ca41fc5cae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
280c13f41ad635207f002e1c4ccedcda

SHA1
eb11def86639cd229ce04ee24e7454ff0b9ede4b

SHA256
cedacc05bbea76cd7e32ce0412f0ab8560b1691cc60f44842d293431fd8d72ca

SHA512
a15381a888a905d35c7f5630e857b46d0c7cef18d7ed4a84c450d4f0bdac729b6b992127c11c3b4d9550e046545c2525eb3a0b9ffd0d72da2ca61f692c4f9c0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb2312bdc81c1e6d7b0d0c1d9ccfaf19

SHA1
4230a39d78cc9540cc35ab1a6a5968192380a62c

SHA256
17d59ae7f04157c091b7ec453735bed44dd629bba9ed84e0d7841c2ea769425c

SHA512
a9b56d0514c3f3d5ecedd7c5b02ff9b1c82ace42f7e0718bb496aa6e640077b939723f8194b705c80ac6c9fe64c690188280b81a76923e0368114d4d793967b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd5271d327f9181fc45eee6c85f4c628

SHA1
ac1e7a4498213b6ec56f5e64473e44e9cd746aea

SHA256
d62f11f949b6470e03bc5310e2b39c241bb48f66a5a79a5c929d023abe7bd5f9

SHA512
6ce7f88594850e1e573a6ace85e18004f2ae5c4f4fd4996631139610d42d137628e8c7734d903aa915690ca1b371657a70d00419021cca58ca904752f18fd6c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9106d79a31e7ae2ec33dc0cde845393

SHA1
9519257e8bc10a422bcfd39aa54ebfa5fec0aabd

SHA256
0d02e6eeaf0214e43d4c0075f18c880d319ce073c92b28a0c08f9bbdf9449824

SHA512
7386f1822e59d922714f05162c6f71a558f4dbc8532a9fa07b6f2787e6f852721317e36624731ba32a8ecb817096e3192209155f2e2248d04dd8ea3a76148871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfbff4a2f15a60a5d9d6920b6370d7f3

SHA1
bc05dbd47d343882015a308c752feaebb6a6723f

SHA256
29e51f7da227d3d4a433b92a070a4a07fbd08214b863a0cb6ab229cdbd331fb8

SHA512
d7f8ec415ec8dc697edb5ecb917d0d4d1b8f047b9204a8fd42927c2ad5cfac3c10ca04ea53abbd76d7212170cb42100050ce211d4f8c73a9061f31e3ee1585c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da8ee6242159dd9ba1808624e9cadd83

SHA1
8a85bb84021f705c796915bd4f437ead832b8d1e

SHA256
23197ef9ba88bef6382209238b17754fe353b1c1964eff17a0c42cef77518e73

SHA512
f7a1b0d20e3e048222eda86957b8574bfbf361f35d93a0ac59f327f9682b7f2ca96463f8530bcf95a73b3fcbf3a04ecbdf12fd73cedfb072b9cdb7b106c2c344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87be2202386931573a9543c30019ea8e

SHA1
63e90ed2a6e5bcd68274b67318071087b8344c55

SHA256
5359de49b976dc68312e99f6fce438d51cc2b587cf6189ab11b5f9b29e6e6aa3

SHA512
81b69b52005eb1d861de9d7f547a39e714b7df81161e11b7290dcbe81d1696e4efcd70b87f7d678e273209d21e00add945d19e8098fae6783d214c51f5b4fd24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35a1bf59a8a97c99577d7d5e017316dd

SHA1
b81d90419cdc3956ef2929a68741ed21f8e84c5a

SHA256
88d2c6abf06b102d7c01b988872876cbb833032a02bd31bae062ab3df3a6def4

SHA512
ae6ec08f00226fc7b5102225a2a76f42f65f207115925b1a8694cf6b861056485e5b25e37c9e88b9e644525ff8feac936f241fc24578674f906df26f4e716546

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c9a5d055af275b5d847072636286d22

SHA1
95a58e66fec0e8797139f13fab1f66f84ca3aaa0

SHA256
52757237cef355615ea219e5a6ac68c01aef40d07636a88addb38b07e26f9dfc

SHA512
84c53f5bdbe94d32a29aa4a7f9d024dfbe501646b6666ccab6202ee296cb939f3ac86a672207d23e800bb2f607fa4793c25d84fdfb0f799ceb47e3d4c4d1f7fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d77ba59c6dfb79e43ce5e6c27776147

SHA1
0708b18fd5543d0b9f02f4e0cf28e36be1e58a27

SHA256
8b1534ac0bb8cb4b84751640cbf9b2474768c4e5ccc02fb0a4934ba805ee6b77

SHA512
3b138eaea7bd676270580a1feac0c4fc6ecc0949d5007cb5c56f8a4518f93837dafefa7456440a73d3a5b8cca6482ccd6cb7289e30a68cb41b2e08cee0bf39e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

Filesize
195B

MD5
808f5c22390033ee618e62dda48cacde

SHA1
43c8214a08c54719f073f9ce68c995283fd10e5c

SHA256
64ebf95ef376f3a6ed7c2eb88fb574d7addad5564143819ae59082b4108f7ebb

SHA512
3b6dd8adfe907954f6370e794d417a32151ba608a157704c308d541209ed5d1b9358b188b57a75517d511c048fbb7b6432f44185a6c325bc104c184bffc68370

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

Filesize
195B

MD5
882a2548ea835214b3255cfdfca099e0

SHA1
8203e0856743c4e322aef0f634c9d39c04fe19aa

SHA256
1dd02dca8a7f0f373b26294e76bb2fc8e92d9d671dd582e06cf5c398cac868a0

SHA512
a39958410600e71851f6db146d7cc68918d68c04e30a2ed90b9d38e7a8d896fa4eb91b48292eb66539277acfa34529c1599ef456ac359ae6f450e8dbcb881fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

Filesize
195B

MD5
93afcb265db3fcde98052169ee9011f2

SHA1
a7eefee20263194cdf48366a56ed78f803f2561d

SHA256
699a739eace50b59f6155343c385b0c242920f68a07330e006c14a00f8e9f23d

SHA512
c47dea2291434f89f878c4e79d9acc0786f152f516fe74ce7780ea04ff18a7b66c01f5021279734d3941bb3dea79f84430a6d89e4d4293e1f38f917f3162ae67

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDC4D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
195B

MD5
bd676170ce65242268d1a893920cab0b

SHA1
a2c71d84c11832dd6564c2d90b1607162e860c74

SHA256
2be4d1f445cda659c7d5651f74cf0d02f1f91fb8df0220201477b77f633d1eb0

SHA512
6ea7d435b7d1e09a1e1be52c746cc4869d8edd8db0a75628e74634ce0d327039039ebee8cac63475f49e791ac8d611848ea27f6adf442d09d5d724112023417e

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

Filesize
195B

MD5
7947da9abacb019742ebd9316510b952

SHA1
c5d4cc338fe47b2a9ec2c028c990182a706242df

SHA256
b2c6c1a3104cab0e26d50648dd55984f42339f68cf62be0a56abcab9608a72f3

SHA512
f27bae0378cce084055928b1a40acec23ebf38c29d67ea3b1301636bc14a4d98698b9fec331bf12065c1144af8460b41426e3e1adc14173a2799a4030eb1d934

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat

Filesize
195B

MD5
9793a926a8b0858c9e7b2b860efd055b

SHA1
b92bc24d9a1e03eb8f402097bbba32cad8a5bff9

SHA256
8368027292d4968fbc580b6286726aeb253837b94d1154d2fa15d86a86b1b58e

SHA512
78e2003fdb4f60b959466dd775b51f27f872f5b1e3dfb690125c062158e64d865f3329aa5e3514915220f6fe473c3379df7d3f780c2abfd6a1ebdcee6fd00b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC6F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
195B

MD5
e75e893bafbbb49b6e3fdf669d44426e

SHA1
7cf18e59e08430b5eb2a9d244d0e554643da5282

SHA256
e18641def6976a7075c5d57955d715dcc8398b0297e4e37d6353a729f4347b2d

SHA512
41454ecfa3a553a281622c8a33960e40bf613e0635053e0fe9e1f904c9e55abf551e51fa6eb9b164516657bd4aebd28ef3f3214ba3f38f894ec1148b41c8078e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
195B

MD5
776417fb919e21754cda8a03b521ebd2

SHA1
328a8465bf22889b31525c1bee2344ba14c35da5

SHA256
7b58ed4b7c6193552813d0dc56995fdc6a5d77fb099b89a80554f42cf5dc859f

SHA512
b0a7e87f6860516597998cfb04c52264be59bdb8a0143d1eb36ebbb36812599611e665084502efb5bfe8d8993df1eb3bef26137750263d8b3d0c82eddf1a38bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
195B

MD5
05ecbe7213929db4a373ed6e1e275a95

SHA1
29d42b7b6e0fa8a4a02a8a6989e4754a04cf45c2

SHA256
3b406befecf2fc051f5a3ce409464f3523ea065b3469614f546ba10a536c89b8

SHA512
32fa8c3bc6fc64b3fcda74fc68d8ce969b2691b38cbe41902551fa55964cbac47e155c005b4f59730bf0faf0e3adb23aa9e4ae7bf098e2aa1ff011ff5123beb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

Filesize
195B

MD5
717d501c5a785f10a331f27ae60edd44

SHA1
fcc505273112b7f9e0abeda086e0ab4d485c7950

SHA256
12deb6715ca5937efcd38edf67330a04861b840ea0154864c204caa68a0edb41

SHA512
bed2721f9529afc611de79921a65edac7350b202c7bb5da4fe124bf63660f78a76cbc5258fbcc0acac6a7a921f1ef70a3994aaca072acaf3fe35bc3781d0bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat

Filesize
195B

MD5
3fc242231bd1f32e58abe696ea24be19

SHA1
b02a2cf1f4c95c9cdcee89b58a883cb83a172972

SHA256
fe7978aea30516c3b06bb403c90bde2bde5961f5aa8e125bd48abb61d6a08488

SHA512
3f632d2069d33ea1c2bda3338bb3a5d0b139a2beebd16613cf3272c54668f9efa6fd63e196d955bb2235d294114d78b2fd736f97699991cb905d657e6d67c93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

Filesize
195B

MD5
190619956e030bb63ba06de5c1e5b0b9

SHA1
81c0e6b2a7bfd5b5731ebdf0b92eb4981d675eb4

SHA256
8cdd86df2d805173d3a043c86c3123af9df13089b3685f4d613315e91f59fccc

SHA512
98717676861b79924a1b306d68b4f7efcb3198add3324a610c78b54317111e7bd6e769c3db00acc1f0d457acd3441105e9fc5512229f6421b131cdc8bd459c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6edaa2c3e9b15d6bb177345b669cd214

SHA1
a6407e14171d07fdaa30cd25fd4014451a6c2069

SHA256
7693062ee6c60dbedad59808f96c3c69a7d3be78968dd7aa43be369a2a55597a

SHA512
8992693c9d3b27f1afe0f02e30175977cb868acdcb09604e8fea2b61353107c116ada870d2230d279f8ebd9f8c19e4abe045ae32000a24780a41b2a516183e86

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/560-56-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/560-57-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1168-151-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-270-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/1764-569-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1780-691-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1780-690-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/2088-390-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2232-629-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2232-630-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2304-13-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2304-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2304-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2304-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2304-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2320-41-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-330-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2556-751-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2768-811-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2768-812-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2804-509-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download